Audit warning messages shown in the status report after installation

Created on 6 December 2024, 16 days ago

Problem/Motivation

When you install Drupal CMS (beta/RC) and visit Status report, there are currently 5 warnings:

  1. Configuration files
    Protection disabled. The file sites/default/settings.php is not protected from modifications and poses a security risk. You must change the file's permissions to be non-writable.
  2. Experimental modules installed
    Experimental modules found: Navigation. Experimental modules are provided for testing purposes only. Use at your own risk.
  3. Media
    It is potentially insecure to display oEmbed content in a frame that is served from the same domain as your main Drupal site, as this may allow execution of third-party code. You can specify a different domain for serving oEmbed content here.

    This is a core issue: ✨ Expose a way to suppress oEmbed security warnings Active

  4. Media
    The default display for the SVG Image media type is not currently using an image style on the Image field. Not using an image style can lead to much larger file downloads. If you would like to change this, add an image style to the Image field.
  5. Toolbar and Navigation modules are both installed
    The Navigation module is a complete replacement for the Toolbar module and disables its functionality when both modules are installed. If you are planning to continue using Navigation module, you can uninstall the Toolbar module now.

    This is an open issue in Gin: 🐛 Status warning: Toolbar and Navigation modules are both installed Active

Can we do something with the three remaining ones that I have not linked to specific issues (points 1, 2, 4), so that we have as few of them as possible?

Steps to reproduce

See /admin/reports/status after the installation.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task
Status

Active

Component

General

Created by

🇸🇰 Slovakia poker10


Comments & Activities

  • Issue created by @poker10
  • 🇦🇺 Australia pameeela

    I think we need to deal with these separately.

    I created 📌 Resolve warning about SVG media type not using image styles Active for the SVG warning and two other issues are linked in the IS already. I guess Navigation won't be marked stable before v1, in which case we could suppress it in Gin.

    The only other one is:

    Configuration files
    Protection disabled. The file sites/default/settings.php is not protected from modifications and poses a security risk. You must change the file's permissions to be non-writable.

    But this is by design in DDEV that these are writeable. I'm not super worried about this warning appearing for DDEV (or other local tool) users since there's some assumed awareness. I did create 📌 Update warning about write permissions Active for a different warning about this in core on install. But I don't think Drupal CMS can/should remove this warning since it is something the user should be aware of? If it were to appear in the (future) browser-based trial experience, that would be a problem. But for local dev, I think it's OK?

  • 🇸🇰 Slovakia poker10

    Thanks for creating the issues!

    But I don't think Drupal CMS can/should remove this warning since it is something the user should be aware of? If it were to appear in the (future) browser-based trial experience, that would be a problem. But for local dev, I think it's OK?

    Agree, but I saw the warning when I installed the RC1 from the zip archive. Is that still considered a dev version?

  • 🇦🇺 Australia pameeela

    The zip archive comes configured to use DDEV. It's not a "dev version", but it is for local development. DDEV specifically sets $settings['skip_permissions_hardening'] = TRUE; in settings.ddev.php. If you are working locally using something else, it would depend on how that is set up, but if it doesn't have this then you wouldn't see the warning.

  • 🇸🇰 Slovakia poker10

    So just to confirm, if we remove that folder in 🐛 Remove .ddev directory from composer create-project Active, then in the Drupal CMS 1.0.0 zip file the warning will not be present? If so, I think then it is OK. Thanks!

  • 🇦🇺 Australia pameeela

    No. If you are using DDEV for local development, you will see the warning, unless you override your local settings to remove $settings['skip_permissions_hardening'] = TRUE;
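
The two comments above describe the mechanism: the status report flags a writable sites/default/settings.php, and DDEV opts out of post-install hardening with $settings['skip_permissions_hardening'] = TRUE; in settings.ddev.php. As an added example, not code from this issue, Drupal core or DDEV, the POSIX shell script below reproduces that check for a docroot and hardens the file unless some sites/default/settings*.php opts out. The function names, the 444/555 modes and the grep-based detection of the opt-out are assumptions made for this example, not core's own logic.

```shell
#!/bin/sh
# Constructed example, not Drupal core or DDEV code. Mirrors the spirit of the
# "Configuration files" status-report check: settings.php must not be writable
# unless the site opts out via $settings['skip_permissions_hardening'] = TRUE;
# (the setting DDEV places in settings.ddev.php). Function names and the
# 444/555 modes are assumptions chosen for this example.

# Prints the site's settings.php path for a given docroot.
settings_file() {
  printf '%s/sites/default/settings.php\n' "$1"
}

# Returns 0 when no write bit (user, group or other) is set on the file.
# Mode bits are read from ls -l rather than test -w, because test -w is
# always true for root and would hide an unprotected file.
settings_is_protected() {
  f=$(settings_file "$1")
  [ -f "$f" ] || return 1
  mode=$(ls -ld "$f" | cut -c1-10)
  case "$mode" in
    *w*) return 1 ;;
    *)   return 0 ;;
  esac
}

# Returns 0 when any sites/default/settings*.php (settings.php,
# settings.ddev.php, settings.local.php, ...) sets skip_permissions_hardening
# to TRUE. A plain grep, so a commented-out line would also match.
hardening_skipped() {
  dir="$1/sites/default"
  grep -Eqs '\$settings\[.skip_permissions_hardening.][[:space:]]*=[[:space:]]*TRUE' \
    "$dir"/settings*.php
}

# Hardens settings.php (444) and sites/default (555) unless the site opts out.
# Exit status: 0 hardened and verified, 1 verification failed, 2 opted out.
harden_settings() {
  root="$1"
  if hardening_skipped "$root"; then
    echo "skip_permissions_hardening is TRUE under $root; leaving files writable"
    return 2
  fi
  chmod 444 "$(settings_file "$root")" || return 1
  chmod 555 "$root/sites/default" || return 1
  settings_is_protected "$root"
}

# Usage: harden_settings /path/to/docroot
```

Run `harden_settings` against the docroot after installation; on a DDEV checkout it reports the opt-out and changes nothing, which is exactly the state in which the status-report warning stays visible, while on a plain zip install it leaves settings.php read-only and the warning disappears.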

  • 🇸🇰 Slovakia poker10

    Installed the rc1 without ddev and the message is not there, so I suppose this should be ok :) Thanks.

    Regarding the Navigation module and info about the fact that it is still experimental - could we at least mention this in the 1.0.0 release notes with a link to the docs page here ( https://www.drupal.org/about/core/policies/core-change-policies/experime... → ), so that users are aware that the module is covered by the security advisory policy and should be safe to use? Do we need an issue for this?

    Then I think we can close this, as we have other messages covered.

  • 🇦🇺 Australia pameeela

    Thanks for confirming.

    Adding it to the release notes is one option, I created 📌 Handle comms around Navigation being experimental Active to address this.
